Using Automation assets
Use IBM Automation foundation assets (Automation assets) to store, manage, and retrieve integration assets.
About Automation assets
Automation assets is an instance type that enables you to store, manage, and share integration assets. Assets (such as JSON schemas) that are stored within the Automation assets repository can be accessed directly from the user interface of certain instances. For example, an OpenAPI specification asset stored in the repository can be directly imported within an API management instance.
Assets can be located in remote repositories, such as Git, so that you can take advantage of the versioning feature offered by the remote repository. Assets that are stored in a remote repository are read-only.
To add assets, click the Add Assets button. You then get a prompt to add an asset from your machine. You can also add assets that are located in remote repositories, such as Git. In this way, you can take advantage of the versioning functionality that is offered by the remote repository. Assets that are stored in a remote repository are read-only. For more information, see Remotes.
Providing user access
Automation assets provides fine-grained authorization by using Keycloak. For more information about Keycloak, see Managing users in Keycloak.
Each instance of Automation assets has its own Keycloak client. The Keycloak client is named <instance_name>-<namespace>-ar-keycloak
and it defines the roles and permissions needed to authorize the actions on that Automation assets instance.
You can assign specific roles to users on the Access control page. These roles control what actions each user can perform.
Roles
Automation assets defines the following roles:
assets-admin
assets-editor
assets-viewer
In addition, Automation assets allows the integration
roles admin
and viewer
to perform the same actions as the assets-admin
and assets-viewer
roles, respectively. For more information, see Cloud Pak for Integration roles and permissions.
To get the Automation assets roles in the Keycloak UI, click the Automation assets Keycloak client option, then click the Roles tab.
Actions
Automation assets allows different actions to be applied to the repository. These actions are grouped with their available permissions, as follows:
catalogs - create, read, delete
assets - create, read, update, delete, approve
remotes - create, read, update, delete
Actions and associated roles
The following table lists each action with an available permission (for example, assets.create
) and the roles that are allowed to perform them.
Action | Roles |
---|---|
assets.create | assets-admin , assets-editor |
assets.read | assets-admin , assets-editor , assets-viewer |
assets.update | assets-admin , assets-editor |
assets.delete | assets-admin , assets-editor |
assets.approve | assets-admin |
remotes.create | assets-admin |
remotes.read | assets-admin , assets-editor , assets-viewer |
remotes.update | assets-admin |
remotes.delete | assets-admin |
File-type viewers
Built into the Automation assets is support for viewers corresponding to different file types. Files are automatically opened in their associated viewer when selected from either the scroll view or the assets table.
All nonbinary text files have an option to view the associated text underlying the file. If the asset type does not have additional viewer support, the default text viewer is presented. However, if there is additional viewer support, the text view can be opened by clicking the Code button.
These asset types have additional support:
Open API - Explore the details of an Open API specification asset stored in the repository. Click any particular call to see further details. Click Code to see the actual code.
JSON Schema - Explore the details of a JSON schema by selecting a particular field. Click Code to see the actual code.
Designer API Implementation and Designer Event Driven Flow - The viewer lets you review the contents of the given asset and it also presents cards presenting either the API or the event connections between different triggers.
PDF - The visualizer lets you to review the contents of a PDF file.
Image - The image viewer lets you to view image files, provided they are of one of the supported types listed above.
Avro Schema - The visualizer validates webhook configurations so you can review JSON records for Avro schemas.
Robotic Process Automation Bot - The visualizer lets you to see the associated contents of the Robotic Process Automation Bot.
Custom Resource Asset Types - Store and reuse custom resources for CP4I components to streamline configuration and deployment.
Remotes
The Automation assets can include assets in a remote Git repository. Any Git implementation can be used, as long as it supports one of the following:
No authorization
SSH key authorization
Assets stored in a remote repository are read-only.
Click Remotes on the Automation assets. The Remote listing page opens.
To add a new remote repository, click Create Remote. A blank configuration page opens. Complete the fields as needed. The Git URL is automatically tested.
Sync Options
When creating a remote you can select the interval at which remotes are synchronized. This can be done by selecting the dropdown menu under the Automatic sync options
tab, and select from one of the possible intervals.
Synchronization with a git repo is one-way only, from git to Cloud Pak for Integration. Changes made in the git repo source will be synchronized to Automation assets, but changes to imported assets will not be synchronized back to git.
Branch Selector
After adding the remote URL, you can select a remote branch by selecting the branch from the drop down menu under the Branch
label.
Type Selector
When creating a remote, you can select which type of assets are imported from that remote by selecting one of the supported asset types in the Asset types to synchronize
section.
SSH Key Auth
You can use an SSH key to access the remote repository. To use SSH, complete these steps:
Set Use SSH authentication to on to turn on SSH authentication.
Copy the key presented in the dialog.
Configure your Git repository to use the copied key. For instructions, see Adding a new SSH key to your GitHub account in the GitHub documentation.
Set the Git URL to the correct address. For a GitHub repository, this address begins with
git@github.com
.Click Create Remote. Once the synchronization completes, the new remote is listed.
The Automation assets automatically resynchronizes with the remote repository at the interval you set, at the point of adding the remote. Click the Edit icon to set the synchronization interval.
Employing user-supplied keys
You can employ user-supplied SSH keys rather than the default. Complete the following steps to use your own keys:
Locate or generate the SSH keys you want to use. This must be an RSA key, with no newline or whitespace characters.
Make sure the remote repository is configured to use this keypair.
Log in to the cluster using the oc login command.
Change to the namespace used for the Automation assets.
Edit the secret containing the Automation assets keypair.
oc edit secret <instance name>-ibm-integration-asset-repository-ssh-keypair
Set
data:id_rsa
to the base 64 encoded private key anddata:id_rsa.pub
to the base 64 encoded public key.Enable the secret changes to take effect with the following command:
oc scale deployment/<instance name>-ibm-integration-asset-repository-api --replicas=0 oc scale deployment/<instance name>-ibm-integration-asset-repository-api --replicas=3
If you configured Automation assets to automatically synchronize with the remote repository, complete these additional steps:
Click Remotes to see the list of available remote repositories.
Click the Edit icon (pencil icon) for the remote you need to edit.
Select
Never
in the Automatic sync options field.Click Edit Remote. The page with the list of available remotes opens.
Click the  Edit icon for the remote you want to edit.
Select the previously set value in the Automatic sync options field.
Click Edit Remote. The page with the list of available remotes opens.
The new keys are now used. Repeat this process for each remote you want to use new keypairs.
Marking assets as approved
Administrators can mark automation assets as approved. Use this feature to indicate to other users that an asset is approved according to criteria you determine, such as rules from your organization.
Approved assets are marked in the Browse Assets tab with an Approved label or with a checkmark icon in the asset table. You can also filter the assets shown using the Show only approved assets switch.
You can mark assets as approved in the following ways:
When you add an individual asset. In the Add asset page, upload the asset, then set the Mark as approved switch to On.
When you create or edit a remote asset repository. In the Create remote or Edit remote page, set the Mark assets synced from this remote as approved switch to On. This switch applies to all assets that you later import from this repository.
After you add or import an asset. In the Browse Assets tab, find the card for the asset, click the overflow (Options) menu in the card, then click Mark as approved. Alternatively, click the asset in the table to open it, then set the Mark as approved switch to On.
These switches and menu options are disabled if you do not have the assets.admin
role.
NLP-powered asset recommendations (deprecated)
Automation assets provides an AI-powered recommendations feature using Watson natural language processing (NLP) within Designer to provide recommendations from templates that are stored within Automation assets. You can describe your intent by using English natural language, and Watson Insights is used to recommend up to three matching templates that are the best semantic matches for your utterance.
When the feature is enabled, your Automation assets instance includes an auto-created remote that contains App Connect templates. The remote and templates cannot be deleted; they can only be removed if the feature is disabled.
Enabling NLP-powered recommendations for use with Designer
When creating an Automation assets instance, you can enable the Designer NLP-powered features. To do so, set the spec.designerAIFeatures.enabled
value to true
directly in the Automation assets CR.
After you've created your instance, you can also choose to enable the feature by editing the Automation assets CR to set the spec.designerAIFeatures.enabled
value. To specify the NLP image and the associated replica count and resource defaults, see Configuration.
If you are enabling the NLP-powered features in an air-gapped environment, you must update the auto-created remote URL to point to a clone of the App Connect templates Git repository that is hosted on the air-gapped network.
Supported file types
To prevent the upload of malicious files, only the following file types are supported in Automation assets:
Any non-binary text file
Code files:
.json
,.yaml
,.yml
,.avsc
,.wal
Text files:
.zip
,.pdf
Images:
.svg
,.png
,.jpg
,.webp
,.bmp
,.gif
,.avif
Disabling runtime checks
To disable runtime checks, add the annotation com.ibm.cp4i/disable-webhook-runtime-checks: true
to the Automation assets YAML:
metadata:
annotations:
com.ibm.cp4i/disable-webhook-runtime-checks: true
See Configuration for instructions on how to access the YAML.
Configuration
To configure the advanced options, log in to the Platform UI. Click Edit on a deployed instance of automation assets, and then click YAML.
Use the following table for reference.
Replicas
field.Available options:
Field name | Description |
---|---|
Designer AI features | Flag to enable AI-powered asset recommendations. |
Automation assets NLP image | Use a custom image for the Automation assets NLP container. |
Automation assets API image | The Docker registry location for pulling the Automation assets API image |
Automation assets UI image | The Docker registry location for pulling the Automation assets UI image |
Automation assets CouchDB image | The Docker registry location for pulling the Automation assets CouchDB image |
Image pull policy | Configure whether you want images to be pulled every time, only if they're not present, or never |
Image pull secrets | Configure the secret used for pulling images. If you're using the Entitled Registry and have created a secret for that, you should use that secret here. |
Replicas | Number of replicas that each service has. The default is 3. Tip: Couch replicas are fixed during the first installation of your Automation assets. Changes to replicas after installation will only affect the UI and API services. See additional information below the table.
|
Annotations | Additional annotations to be added to Automation assets pods. |
Node Selector | If you wish to assign the pods to a subset of the nodes of your cluster, you can use multiple Node Selectors. For more information, see Assigning Pods to Nodes in the Kubernetes documentation. Note: This setting only applies to Automation assets UI and API pods. CouchDB pods aren't affected. |
Resources | Use the Resources section to override the default resource request and limit values. You can set limit and request values for the Automation assets API, UI, NLP and CouchDB pods. Any values not configured here default to the values listed in "Default values:". For more information about request and limit values, see Requests and limits in the Kubernetes documentation. Important: For a given resource, if you set the request, you must also set the limit, and if you want to set the limit, you must also set the request. CouchDB search and management values are now deprecated and have no effect. To increase the resources available to the CouchDB container, use the "CouchDB db" resource values. Default values: The following values are the defaults for each resource. The request and limit values are the same for each resource. Important: You cannot create an Automation assets with values smaller than the following: Automation assets API CPU: 200m . Automation assets API Memory: 150Mi .Automation assets UI CPU: 200m . Automation assets UI Memory: 150Mi . CouchDB DB CPU: 300m . CouchDB DB Memory: 700Mi |
Storage | Provide two different types of storage classes for use by the Automation assets:
|
* Volume access modes and availability:
Typically, RWO volumes (such as AWS Elastic Block Storage) are not replicated across availability zones (AZ), so Automation assets is pinned to a single AZ and is therefore not available if that AZ goes offline. Some RWO storage types, such as OpenShift Data Foundation Block Storage, do support replication across AZ, so they can be used to improve resilience. If your storage type doesn't support replication across AZ, create backups of your deployment so that you can recover the Automation assets instance if the AZ that contains the RWO volume goes offline permanently. For more information, see Backing up and restoring IBM Cloud Pak for Integration.
The best availability is typically provided by deploying with multiple replicas that are backed by ReadWriteMany (RWX) storage. This configuration ensures that if one of the replicas fails within an Availability Zone (AZ), the service is still available. Further resilience can be achieved using multiple AZs for running the service and replicated RWX storage, which ensures that the service continues if an AZ goes down. For more information on storage options and RWO support, see Storage considerations.
Configuring and reverting the hostname
Configuring a custom hostname
To use a custom hostname, an administrator needs to add the following YAML to the AssetRepository
custom resource. This can be done by using the Platform UI or by using the CLI. For uiHostname
, enter a hostname.
spec:
uiHostname: "example.app.acme.com"
After the spec.uiHostname
value is applied, save the AssetRepository
custom resource and wait until the Automation assets returns a status of Ready
. You can now access Automation assets on the new hostname.
Reverting the custom hostname
Set the environment variables for your Automation assets instance:
export AUTOMATION_ASSETS_NAMESPACE=<namespace_where_automation_assets_instance_is_installed> export AUTOMATION_ASSETS_NAME=<name_of_automation_assets_instance>
Delete
spec.uiHostname
from theAssetRepository
custom resource.oc patch assetrepository ${AUTOMATION_ASSETS_NAME} -n ${AUTOMATION_ASSETS_NAMESPACE} --type='json' --patch '[{ "op": "remove", "path": "/spec/uiHostname" }]'
The Automation assets instance status changes to
Pending
.
When the status of the Automation assets instance changes to Ready
, the previous URL (before you configured a custom hostname) should be usable again.
Storing and managing templates of instances
For information on how to create and import templates that other users can use to create instances, see the "Creating a new template from an existing template" section in Using the Platform UI.